CHKP002 - Check Point TLS/SSL Certificate Error

Agent error code #CHKP002 indicates that the Knocknoc agent opened a connection to the Check Point gateway but could not establish a trusted TLS session. The gateway's certificate was not accepted by the agent host.

Common causes include:

  • The gateway presents a self-signed certificate, or one issued by an internal CA the agent host does not trust
  • The certificate's hostname does not match the Gateway Hostname configured on the Knoc
  • The certificate has expired or is not yet valid
  • A TLS-intercepting proxy on the path is presenting its own certificate

Steps to Resolve

Trust the Gateway's Certificate Authority

  1. Obtain the CA certificate that signed the gateway's Web API certificate
  2. Install it in the system trust store on the host running the Knocknoc agent
  3. Restart the agent so it picks up the new trust anchor

Match the Certificate Hostname

  1. Confirm the Gateway Hostname on the Knoc matches a name on the gateway's certificate (Common Name or Subject Alternative Name)
  2. If the certificate is issued to the cluster VIP, use that name rather than an individual member's
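The following triage helper is an added example, not code from Knocknoc or Check Point. It takes a decoded certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and maps it onto the causes listed above: hostname mismatch against the configured Gateway Hostname (DNS Subject Alternative Names take precedence over the Common Name, and a wildcard covers one label only), an expired or not-yet-valid validity window, and a self-signed certificate (issuer equal to subject) that no trust store can vouch for. The two sample certificates, the `example.internal` names and the timestamps are constructed for the example.

```python
# Added example: CHKP002 triage on a decoded certificate (ssl.getpeercert() shape).
# Not Knocknoc or Check Point code; all names and dates below are constructed.
import ssl
from datetime import datetime, timezone


def _dns_match(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    Exact match, or a single '*' as the entire leftmost label (RFC 6125 style);
    the wildcard never spans a dot, so '*.example.internal' does not cover
    'a.b.example.internal'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "." not in hostname:
        return False
    first, rest = hostname.split(".", 1)
    return bool(first) and rest == pattern[2:]


def certificate_names(cert):
    """Names a verifier accepts: DNS SANs when present, otherwise the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def hostname_matches(cert, configured_hostname):
    """True when the configured Gateway Hostname matches any acceptable name."""
    return any(_dns_match(name, configured_hostname) for name in certificate_names(cert))


def _as_datetime(now):
    """Accept None (current time), an aware datetime, or an ISO-8601 string with offset."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.fromisoformat(now)
    return now


def validity_problem(cert, now):
    """Return 'not yet valid', 'expired', or None for the given instant."""
    # notBefore/notAfter use the OpenSSL text form 'Jan 01 00:00:00 2024 GMT'.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return None


def is_self_signed(cert):
    """Issuer equal to subject: nothing in a trust store can have issued it."""
    return cert.get("issuer") == cert.get("subject")


def diagnose(cert, configured_hostname, now=None):
    """List the CHKP002 causes this certificate would trigger; empty list means none."""
    now = _as_datetime(now)
    findings = []
    if not hostname_matches(cert, configured_hostname):
        findings.append("hostname mismatch: configured %r, certificate names %s"
                        % (configured_hostname, certificate_names(cert)))
    problem = validity_problem(cert, now)
    if problem:
        findings.append("certificate " + problem)
    if is_self_signed(cert):
        findings.append("self-signed certificate: trust it explicitly or deploy a CA-issued one")
    return findings


# Constructed sample: a cluster member's self-signed certificate, while the
# Knoc is configured with the cluster VIP name.
MEMBER_SELF_SIGNED = {
    "subject": ((("commonName", "cpgw-member1.example.internal"),),),
    "issuer": ((("commonName", "cpgw-member1.example.internal"),),),
    "subjectAltName": (("DNS", "cpgw-member1.example.internal"),),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
}

# Constructed sample: CA-issued certificate naming the VIP and, via wildcard, the members.
VIP_CA_ISSUED = {
    "subject": ((("commonName", "cpgw-vip.example.internal"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "cpgw-vip.example.internal"), ("DNS", "*.example.internal")),
    "notBefore": "Jan 01 00:00:00 2024 GMT",
    "notAfter": "Jan 01 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    when = "2024-06-01T00:00:00+00:00"
    for label, cert in (("member", MEMBER_SELF_SIGNED), ("vip", VIP_CA_ISSUED)):
        print(label, diagnose(cert, "cpgw-vip.example.internal", when) or ["ok"])
```

Run it as-is to see the member certificate flagged for both the hostname mismatch and the missing trust anchor, while the CA-issued VIP certificate passes; point `diagnose()` at a real `getpeercert()` result from the gateway's Web API port to triage a live CHKP002.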

Use Insecure for Lab Gateways Only

  1. If the gateway uses a self-signed certificate and you accept the risk on a trusted network, tick Insecure in the connection configuration
  2. Leave Insecure unticked in production. It disables certificate verification entirely

For the full setup, see the Check Point setup guide.